[Paper] Securing the Dark Matter: A Semantic-Enhanced Neuro-Symbolic Framework for Supply Chain Analysis of Opaque Industrial Software

Source: arXiv - 2605.07737v1

Overview

The paper tackles a painful reality for security teams: many critical‑infrastructure applications are shipped only as stripped binaries, leaving traditional Software Composition Analysis (SCA) blind. By marrying abstract interpretation, large‑language‑model (LLM) prompting, and graph‑based reasoning, the authors build a neuro‑symbolic pipeline that can re‑extract rich behavioral semantics from opaque binaries and reason about supply‑chain risks at scale.

Key Contributions

• Semantic‑enhanced neuro‑symbolic framework that fuses static analysis with a constrained LLM to lift binary code into a high‑level knowledge graph.
• Reflexive prompting pipeline that uses abstract‑interpretation results to steer the LLM, dramatically cutting hallucinations while preserving the expressive power of natural‑language models.
• Surjective compression of Code Property Graphs (CPGs) into typed Software Supply‑Chain Knowledge Graphs (SSKGs), enabling tractable global reasoning over millions of nodes/edges.
• Domain‑adapted Graphormer architecture that captures long‑range vulnerability propagation and supports subgraph‑matching in embedding space for zero‑day and APT pattern detection.
• Comprehensive evaluation on three increasingly domain‑specific benchmarks and a hybrid virtual‑physical testbed with hardware from five industrial control system (ICS) vendors, showing superior detection accuracy and lower false‑positive rates versus state‑of‑the‑art tools.

Methodology

1. Abstract Interpretation + Reflexive Prompting

   • The binary is first analyzed with abstract interpretation to produce a coarse‑grained control‑flow and data‑flow summary.
   • This summary is fed as a structured prompt to a local LLM (e.g., Llama‑2), which is forced to generate semantic annotations (function intents, API usage, data classifications) that are grounded in the static analysis output, preventing the model from “making up” information.

2. From Code Property Graph to Knowledge Graph

   • The raw CPG (nodes for instructions, AST fragments, control‑flow edges) is surjectively mapped onto a typed SSKG where each node represents a higher‑level software‑supply‑chain concept (e.g., third‑party library, cryptographic primitive, communication endpoint).
   • This compression reduces graph size by orders of magnitude while preserving the relationships needed for risk reasoning.

3. Graphormer‑Based Global Reasoning

   • A Graphormer (transformer‑style graph neural network) is fine‑tuned on the SSKG to learn embeddings that capture vulnerability propagation across the supply chain (e.g., a vulnerable library used by a driver that talks to a PLC).
   • Embedding‑space subgraph matching is then applied to detect known attack patterns and to flag novel configurations that resemble APT tactics.

4. Risk Scoring & Reporting

   • The system aggregates per‑node risk scores into a global supply‑chain risk metric, which can be exported to existing SCA dashboards or SIEMs for actionable alerts.

Results & Findings

The framework consistently outperformed commercial binary‑analysis tools and recent academic baselines, especially in semantic fidelity (the ability to reconstruct meaningful intent from stripped binaries) and global risk reasoning (capturing cross‑component vulnerability chains).

Practical Implications

• Enhanced Binary SCA for DevSecOps – Teams can now feed production binaries directly into CI pipelines and obtain supply‑chain risk reports without needing source code.
• Zero‑Day & APT Early Warning – Embedding‑based subgraph matching surfaces suspicious patterns that traditional signature scanners miss, giving SOC analysts a head start on advanced threats.
• Scalable Reasoning Across Large Deployments – The surjective graph compression makes it feasible to analyze firmware images from thousands of IoT/ICS devices in minutes, fitting into existing asset‑management workflows.
• Integration Friendly – The output knowledge graph adheres to open standards (e.g., SPDX, CycloneDX), allowing seamless ingestion into existing vulnerability‑management dashboards.
• Reduced Alert Fatigue – By grounding LLM outputs in concrete static analysis facts, the system dramatically cuts hallucination‑driven false positives, lowering the cost of triage for security teams.

Limitations & Future Work

• LLM Dependency – Although reflexive prompting curtails hallucinations, the approach still relies on a locally hosted LLM; performance may vary with model size and training data.
• Abstract Interpretation Scope – The static analysis step may miss dynamic behaviors (e.g., JIT‑generated code) that could affect semantic reconstruction.
• Domain Adaptation Overhead – Fine‑tuning the Graphormer for a new industry vertical requires a curated set of labeled graphs, which can be labor‑intensive.
• Future Directions – The authors suggest (1) incorporating dynamic tracing to complement abstract interpretation, (2) exploring multi‑modal LLMs that ingest binary‑level embeddings directly, and (3) extending the knowledge graph schema to cover cloud‑native supply‑chain artifacts (container images, serverless functions).

Authors

• Bowei Ning
• Xuejun Zong
• Lian Lian
• Kan He
• Yifei Sun
• Yuxiang Lei
• Plamen Vasilev

Paper Information

• arXiv ID: 2605.07737v1
• Categories: cs.SE
• Published: May 8, 2026
• PDF: Download PDF